Hotfixes By E-Mail

Opinion: Microsoft has created self-service for hotfixes. It's easy to do, but is the process secure?

Microsoft has a bad reputation for issuing fixes for software problems, but they do fix lots of them, all the time. Its inevitable for a company with so many products used by so many people. Usually, before bug fixes are rolled into a general-distribution patches, service packs or new version, they are issued piecemeal as "hotfixes."
Hotfixes arent put up on the Web for any and all takers. Microsoft has testing standards for fixes put up for everyone, and hotfixes dont meet them. They are designed to fix specific problems and are not exhaustively tested to find edge cases where they cause problems, for instance, with other programs. Its not uncommon for such problems to turn up over time.
They recommendand this is very good advicethat you only install hotfixes on systems that are experiencing the problems they address. Its common for you to have to uninstall hotfixes on systems in order to apply service packs and other official fixes, so use them only when necessary and keep track of where you use them.

It used to be that to get a hotfix you had to contact Microsoft support services and explain why you needed it. Now Microsoft has a system for ordering hotfixes by e-mail. On this Web page you can specify the knowledge base article describing the problem, your processor type and an e-mail address. The submission form replies with "A Microsoft Professional will respond to you via e-mail within 8 business hours." The page and the form it submits are https, and the certificate is signed by GTE Cybertrust, so Im certain enough its for real, although this would be a good place for an EV certificate.
Not that I really had the problem, but I tried it with this bug (KB913384) Within minutes an e-mail arrived from nahotfx@microsoft.com that contained an http (not https) link on hotfixv4.microsoft.com to a file (295549_intl_i386_zip.exe). It read back the information I had presented in the Web form, so Im satisfied its genuine. The file is a password-protected self-extracting .zip, and the e-mail also contains the password for opening the file.
Even though I get the sense this is a good system, clearly there are potential problems with it. Lets say Im a busy administrator and I get one of these e-mails, maybe sent to a generic address like support@mycompany.com. Maybe one of the guys asked for it. There are enough clues in the real message that I can protect myself with a healthy skepticism.
Then I download the file and things get a little fishier. The file is a self-extracting .exe and is not digitally signed. It shows "Unknown Publisher." Looking at the file properties in Explorer shows nothing about Microsoft. The company is Xceed Software and the Description is "32-bit Self-extractor module." Incidentally, Kaspersky Anti-Virus generated a warning about it being a password-protected .zip. Fair enough, Ive been warned.
It extracts into two files: hotfix.txt, which has superficial instructions and some other information (mostly the "Disclaimer of Liability"), and NDP20-KB913384-X86.exe, the actual hotfix package, which Kaspersky has no problems with. This file is digitally signed, by Microsoft with a VeriSign-issued certificate.
The hotfix program is also notable for the wealth of file properties on the Version tab. There are properties pointing to the knowledge base article, the processor architecture, the build date, and a detailed description. Excel.exe doesnt have half this stuff. This is unrelated to security, but its interesting.
I was leery of the security of the hotfixes-by-e-mail process until at the end I reviewed it all. They could improve some things, but I think any attacks that would take advantage of it would probably spoof it rather than exploit the actual process.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers blog Cheap HackMore from Larry Seltzer

Larry Seltzer has been writing software for and English about computers ever since,much to his own amazement,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.